Gian Marco Lenzi (Var Group): “Var Group provides technologically robust and legally sound cybersecurity strategies”
Posted on Apr 29, 2025

What challenges does the company face in ensuring compliance with the GDPR framework, particularly when handling sensitive client data and integrating secure systems on a global scale?
As a result of its M&A activity in recent years, Var Group has become a fully fledged multinational, present in more than 10 countries worldwide (including the US and India). As such, it faces the complexity inherent in ensuring GDPR compliance in diverse regulatory environments. In terms of best practices for (not only) European companies, the GDPR is seen as the gold-standard and Var Group’s global policies are based on its regulatory pillars. Because of this, we need to rise to the challenge posed by local differences and deviations from the GDPR, which is not easy due to ever-changing regulatory frameworks, for example the new data-protection act in India. Moreover, the integration of secure, scalable digital systems must be balanced with the lawful, fair and transparent processing of personal data – particularly when dealing with sensitive categories or cross-border data flow.
To address these challenges, Var Group has implemented a centralized data-protection governance model supported by local expertise. Our approach is, as previously stated, GDPR-based, and rooted in principles of accountability, risk-management proactivity and privacy by design and by default. This includes embedding data-protection impact assessments (DPIAs) into our project lifecycles, ensuring data minimization through technical and organizational controls and adopting strong technical and organizational measures (TOMs). As Group DPO, my mandate is to ensure not only regulatory compliance but also to foster a privacy-centric culture across all business units.
Cyberthreats are a critical concern for businesses today. How does Var Group help its clients strengthen cybersecurity while maintaining operational efficiency?
The convergence of cybersecurity and data-protection regulations – such as GDPR, NIS2 and sector-specific obligations like DORA regulations – demands a strategic and integrated legal/IT/privacy response. Var Group helps clients develop cybersecurity postures that are not only technologically robust, but also legally sound.
Unfortunately, some key laws, such as NIS2, are European directives and this adds complexity due to local deviations and different stages of implementation from one European country to the next. This heavily impacts multinational companies that seek clarity and have to build an expensive strategy to fit the more demanding of NIS2’s regulatory requirements (e.g. the 24-hour notification duty when a significant incident occurs).
We provide services that align with best practices and standards, including ISO/IEC 27001, CIS controls and the NIST framework, while also addressing legal obligations under data-breach-notification regimes and contractual security requirements.
Our cybersecurity strategy emphasizes threat modelling, continuous monitoring and incident response readiness. Crucially, we ensure that these measures are implemented in a way that supports business continuity and operational resilience, thus allowing clients to meet both security and regulatory expectations, without undermining the efficiency of their operations.
The AI Act introduces new regulatory requirements. How does this piece of legislation impact the development and implementation of AI-driven solutions?
The adoption of the EU AI Act has led to a paradigm shift in how organizations must design, develop and/or deploy AI systems. At Var Group, we view this as an opportunity to further institutionalize principles of ethical and lawful AI usage.
We have aligned our internal governance structures with the AI Act’s risk-based framework, particularly in the context of high-risk systems, which involve strict obligations when it comes to transparency, human oversight, data quality and post-market monitoring. Our teams actively incorporate algorithmic accountability mechanisms – including documentation trails, bias detection protocols and auditing capabilities – in their work.
From a legal standpoint, there is, anyway, a lot of uncertainty regarding the practical implementation of the EU AI Act: for instance, the Prohibited AI Practices definitions are quite generic and written in a way that’s open to different interpretations and which leads to edge cases. What’s more, we are assessing overlaps with existing GDPR obligations, ensuring coherent application of both frameworks in AI deployment scenarios (notably a quite interesting potential discrepancy between Article 22 of the GDPR and Article 14 of the EU AI Act on the Human Oversight Principle for High-Risk AI).
Given these technological and regulatory changes, what strategies does the company adopt to stay ahead of the curve?
Given the accelerating pace of digital regulation and technological innovation, Var Group is actively reinforcing its strategic foresight capabilities. Internally, we are investing in compliance-by-design methodologies and cross-disciplinary training that unites legal, IT security and engineering functions. I want to emphasize how important dialogue between IT and Legal within the enterprise is when it comes to tackling these new regulatory challenges.
Externally, we maintain active engagement with regulatory bodies, industry alliances and academic institutions in order to anticipate legislative developments – from the Data Act to the Cyber Resilience Act. Unfortunately, we have noticed a lack of guidelines from institutions regarding these new – often quite complex – sets of laws. Our overarching goal is to position Var Group not only as a provider of digital solutions but as a legally reliable partner for navigating the complexities of digital transformation.